BookStack Code Mirror - bookstack/blobdiff - tests/Entity/ExportTest.php

index 4c6fb1a74f43da2c09011c42f9dabb1267bca328..9ea336db8ff191592515e8ff94b9a7bf16962b0c 100644 (file)

--- a/tests/Entity/ExportTest.php

+++ b/tests/Entity/ExportTest.php

@@ -2,6 +2,7 @@

namespace Tests\Entity;

+use BookStack\Auth\Role;

use BookStack\Entities\Models\Book;

use BookStack\Entities\Models\Chapter;

use BookStack\Entities\Models\Page;

@@ -138,7 +139,7 @@ class ExportTest extends TestCase

$this->setSettings(['app-custom-head' => $customHeadContent]);

$resp = $this->asEditor()->get($page->getUrl('/export/html'));

- $resp->assertSee($customHeadContent);

+ $resp->assertSee($customHeadContent, false);

}

public function test_page_html_export_does_not_break_with_only_comments_in_custom_head()

@@ -150,7 +151,7 @@ class ExportTest extends TestCase

$resp = $this->asEditor()->get($page->getUrl('/export/html'));

$resp->assertStatus(200);

- $resp->assertSee($customHeadContent);

+ $resp->assertSee($customHeadContent, false);

}

public function test_page_html_export_use_absolute_dates()

@@ -187,7 +188,7 @@ class ExportTest extends TestCase

Storage::disk('local')->delete('uploads/images/gallery/svg_test.svg');

$resp->assertStatus(200);

- $resp->assertSee('<img src="data:image/svg+xml;base64');

+ $resp->assertSee('<img src="data:image/svg+xml;base64', false);

}

public function test_page_image_containment_works_on_multiple_images_within_a_single_line()

@@ -223,9 +224,37 @@ class ExportTest extends TestCase

$storageDisk->delete('uploads/images/gallery/svg_test.svg');

$storageDisk->delete('uploads/svg_test.svg');

- $resp->assertDontSee('http://localhost/uploads/images/gallery/svg_test.svg');

+ $resp->assertDontSee('http://localhost/uploads/images/gallery/svg_test.svg', false);

$resp->assertSee('http://localhost/uploads/svg_test.svg');

- $resp->assertSee('src="/uploads/svg_test.svg"');

+ $resp->assertSee('src="/uploads/svg_test.svg"', false);

+ }

+ public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local()

+ {

+ $contents = file_get_contents(public_path('.htaccess'));

+ config()->set('filesystems.images', 'local');

+ $page = Page::query()->first();

+ $page->html = '<img src="http://localhost/uploads/images/../../.htaccess"/>';

+ $page->save();

+ $resp = $this->asEditor()->get($page->getUrl('/export/html'));

+ $resp->assertDontSee(base64_encode($contents));

+ }

+ public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure()

+ {

+ $testFilePath = storage_path('logs/test.txt');

+ config()->set('filesystems.images', 'local_secure');

+ file_put_contents($testFilePath, 'I am a cat');

+ $page = Page::query()->first();

+ $page->html = '<img src="http://localhost/uploads/images/../../logs/test.txt"/>';

+ $page->save();

+ $resp = $this->asEditor()->get($page->getUrl('/export/html'));

+ $resp->assertDontSee(base64_encode('I am a cat'));

+ unlink($testFilePath);

}

public function test_exports_removes_scripts_from_custom_head()

@@ -304,7 +333,7 @@ class ExportTest extends TestCase

$page->save();

$resp = $this->asEditor()->get($page->getUrl('/export/markdown'));

- $resp->assertSee("# Dogcat\n\n<p class=\"callout info\">Some callout text</p>\n\nAnother line");

+ $resp->assertSee("# Dogcat\n\n<p class=\"callout info\">Some callout text</p>\n\nAnother line", false);

}

public function test_page_markdown_export_handles_bookstacks_wysiwyg_codeblock_format()

@@ -316,7 +345,7 @@ class ExportTest extends TestCase

$page->save();

$resp = $this->asEditor()->get($page->getUrl('/export/markdown'));

- $resp->assertSee("# Dogcat\n\n```JavaScript\nvar a = 'cat';\n```\n\nAnother line");

+ $resp->assertSee("# Dogcat\n\n```JavaScript\nvar a = 'cat';\n```\n\nAnother line", false);

}

public function test_chapter_markdown_export()

@@ -340,4 +369,45 @@ class ExportTest extends TestCase

$resp->assertSee('# ' . $chapter->name);

$resp->assertSee('# ' . $page->name);

}

+ public function test_export_option_only_visible_and_accessible_with_permission()

+ {

+ $book = Book::query()->whereHas('pages')->whereHas('chapters')->first();

+ $chapter = $book->chapters()->first();

+ $page = $chapter->pages()->first();

+ $entities = [$book, $chapter, $page];

+ $user = $this->getViewer();

+ $this->actingAs($user);

+ foreach ($entities as $entity) {

+ $resp = $this->get($entity->getUrl());

+ $resp->assertSee('/export/pdf');

+ }

+ /** @var Role $role */

+ $this->removePermissionFromUser($user, 'content-export');

+ foreach ($entities as $entity) {

+ $resp = $this->get($entity->getUrl());

+ $resp->assertDontSee('/export/pdf');

+ $resp = $this->get($entity->getUrl('/export/pdf'));

+ $this->assertPermissionError($resp);

+ }

+ public function test_wkhtmltopdf_only_used_when_allow_untrusted_is_true()

+ {

+ /** @var Page $page */

+ $page = Page::query()->first();

+ config()->set('snappy.pdf.binary', '/abc123');

+ config()->set('app.allow_untrusted_server_fetching', false);

+ $resp = $this->asEditor()->get($page->getUrl('/export/pdf'));

+ $resp->assertStatus(200); // Sucessful response with invalid snappy binary indicates dompdf usage.

+ config()->set('app.allow_untrusted_server_fetching', true);

+ $resp = $this->get($page->getUrl('/export/pdf'));

+ $resp->assertStatus(500); // Bad response indicates wkhtml usage

+ }

}